People aren’t actually saying that every cloud has an unencrypted lining, but they are saying that every website protected by the online security service Cloudflare has been leaking encrypted session and user data—including credit card numbers and passwords—for months now and that millions of affected website users should promptly change their passwords!
Cloudflare, which provides millions of online servers/websites with firewall-like traffic-filtering to protect against malicious hacking exploits, such as distributed denial of service attacks, announced on February 23 that it had a long-standing internal memory leak flaw. Cloudflare called it a “parser bug”, while the Internet security community-at-large dubbed it “cloudbleed” for its similarity to the Heartbleed memory overflow bug of three years ago.
It’s comforting how everyone pays lip service to security
The memory leak flaw was brought to Cloudflare’s attention on February 17 by Tavis Ormandy from Google’s Project Zero, which is tasked with finding such hidden code flaws.
World’s platform for change asks you to change your password
Change.org, which hosts millions of online petitions and is one of Cloudflare’s clients, sent out the following vaguely worded email on Saturday (February 25) to all registered users (including myself) recommending that we all change our passwords immediately:
We want you to feel safe when using our services and we have been monitoring this situation closely to ensure it does not affect our users. If you are ever in doubt about the security of your accounts with us, feel free to contact Change·org directly through our Help Center.
In fact, no one is suggesting that there is any evidence that any of these potential memory leaks from hundreds of millions (if not billions) of encrypted web sessions have been exploited by anyone. But it’s a good idea to “refresh” your passwords every so often, regardless of external evidence.
You can cry “Heartbleed”, or “Wolf”, only so many times!
Three things can be assumed to happen as a result of this latest Internet security bug. Firstly, all website users affected will receive a direct notification advising them of the fact and recommending that they change their passwords.
Secondly, the memory leak bug will be fixed.
And thirdly, most Internet users will conclude that this latest dire warning of an Internet security flaw affecting millions and millions of users is much ado about nothing—just like every similar warning of the last few years (not to mention that “world-ending” Y2K bug of the year 2000).
After all, unlike a few of the malicious Microsoft Windows viruses and worms of yesteryear, which visibly destroyed data and took down bazillions of Windows computers, the high-profile software bugs of recent years have appeared to be mostly hype as far as end users are concerned.
The marketing of Internet flaws—but at whom?
Not to say that security flaws are not exploited by malicious coders. And yes, there is online identity theft and online credit card fraud aimed at individuals, but the latter two categories are very fuzzily documented—with no reliable numbers of actual consumer losses to online fraud.